DETAILED ACTION

1. Claims 1-6, 8-12 are pending for examination.

2. Claims 1-6, 8-12 are rejected.



Claim Rejections - 35 USC §102 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

3. Claims 1-6, 8-12 are rejected under 35 U.S.C. 102(b) as being anticipated by Shipley,
U.S. Patent 6,119,236.

4. As per claim 1; "A method of analyzing network communication traffic for potential
intrusion activity, comprising the steps of

assigning packets to a flow [col. 3, lines 17-col. 12, line 35, whereas the "... dynamically
detect patterns of behavior ...", "... automatically determining the configuration of the LAN ...",
etc., clearly encompasses the claimed limitations, insofar as for the determining /detection
/comparison /control of the firewall to occur, that which is compared to the packet flow clearly
must be defined /assigned, as broadly interpreted by the examiner.];

collecting flow data from packet headers [col. 3, lines 17-col. 12, line 35, whereas the "...
dynamically detect patterns of behavior ...", "... automatically determining the configuration of
the LAN ...", etc., clearly encompasses the claimed limitations, insofar as for the determining
/detection /comparison /control of the firewall to occur, the packet flow clearly must be collected
per se, and such collection involves collection of the packets' header data (i.e., the IP address,
port, status flags, etc.), as broadly interpreted by the examiner.];

analyzing collected flow data to assign a concern index value to the flow based upon a
probability that the flow was not normal for data communications [col. 3, lines 17-col. 12, line 35,
whereas the "... assign weight to breach ...", and "... so as a weighted average might be used ..."
aspects of the post "... look for known patterns ...", clearly encompasses the claimed limitations
as broadly interpreted by the examiner.];

maintaining an accumulated concern index from flows associated with a host; and
issuing an alarm signal once the accumulated concern index has exceeded an alarm
threshold value [col. 3, lines 17-col. 12, line 35, whereas the "... assign weight to breach ...", and
"... react operation ..." aspects of the post "... look for known patterns ...", that involve the
control and notification of the network associated firewall /gateway node, clearly encompasses
the claimed limitations as broadly interpreted by the examiner.]."

5. Claim 2 additionally recites the limitation that; "The method of claim 1,
wherein the flow consists of the packets exchanged between two hosts that are associated
with a single service."

The teachings of Shipley suggest such limitations (col. 3, lines 17-col. 12, line 35, whereas the
LAN and network aspects of the INSD interfaced to said network of multiple nodes, and the
Internet /LAN port aspects insofar as port identification as relates to the Internet deals with port
to port service designation, clearly encompasses the claimed limitations as broadly interpreted by
the examiner.).
6. Claim 3 additionally recites the limitation that; "The method of claim 1,
wherein the alarm signal updates a firewall for filtering packets transmitted by a host."

The teachings of Shipley suggest such limitations (col. 3, lines 17-col. 12, line 35, whereas the
"... assign weight to breach ...", and "... react operation ..." aspects of the post "... look for
known patterns ...", that involve the control and notification of the network associated firewall
/gateway node, clearly encompasses the claimed limitations as broadly interpreted by the
examiner.).

7. Claim 4 additionally recites the limitation that; "The method of claim 1,
wherein the alarm signal generates a notification to the network administrator."

The teachings of Shipley suggest such limitations (col. 3, lines 17-col. 12, line 35, whereas the
"... assign weight to breach ...", and "... react operation ..." aspects of the post "... look for
known patterns ...", that involve the control and notification of the network associated firewall
/gateway node and subsequent "... network administrator has time to evaluate ...", clearly
encompasses the claimed limitations as broadly interpreted by the examiner.).

8. Claim 5 additionally recites the limitation that; "The method of claim 1,
wherein each concern index value associated with a respective potential intrusion activity
is a predetermined fixed value."

The teachings of Shipley suggest such limitations (col. 3, lines 17-col. 12, line 35, whereas the
"... assign weight to breach ...", and "... so as a weighted average might be used ..." aspects of
the post "... look for known patterns ...", clearly encompasses the claimed limitations, insofar as
an average is a "predetermined fixed value", as broadly interpreted by the examiner.).

9. As per claim 6; "A method of analyzing network communication traffic for potential
intrusion activity, comprising the steps of:

assigning packets to a flow
    wherein a flow consists of the packets exchanged between two hosts that are
    associated with a single service [col. 3, lines 17-col. 12, line 35, whereas the LAN and
    network aspects of the INSD interfaced to said network of multiple nodes, and the
    Internet /LAN port aspects insofar as port identification as relates to the Internet deals
    with port to port service designation, clearly encompasses the claimed limitations as
    broadly interpreted by the examiner.];

collecting flow data from packet headers [col. 3, lines 17-col. 12, line 35, whereas the "...
dynamically detect patterns of behavior ...", "... automatically determining the configuration of
the LAN ...", etc., clearly encompasses the claimed limitations, insofar as for the determining
/detection /comparison /control of the firewall to occur, the packet flow clearly must be collected
per se, and such collection involves collection of the packets' header data (i.e., the IP address,
port, status flags, etc.), as broadly interpreted by the examiner.];

analyzing collected flow data to assign a concern index value
    wherein each concern index value associated with a respective potential intrusion
    activity is a predetermined fixed value [col. 3, lines 17-col. 12, line 35, whereas the "...
    assign weight to breach ...", and "... so as a weighted average might be used ..." aspects
    of the post "... look for known patterns ...", clearly encompasses the claimed limitations,
    insofar as an average is a "predetermined fixed value", as broadly interpreted by the
    examiner.];

maintaining an accumulated concern index from flows associated with a host; and
issuing an alarm signal once the accumulated concern index has exceeded an alarm
threshold value [col. 3, lines 17-col. 12, line 35, whereas the "... assign weight to breach ...", and
"... react operation ..." aspects of the post "... look for known patterns ...", that involve the
control and notification of the network associated firewall /gateway node, clearly encompasses
the claimed limitations as broadly interpreted by the examiner.]."

10. As per claim 8; "A method of analyzing network communication traffic for potential
intrusion activity, comprising the steps of:

assigning packets to a flow
    wherein a flow consists of the packets exchanged between two Internet Protocol
    addresses with at least one port remains constant [col. 3, lines 17-col. 12, line 35, whereas
    the LAN and network aspects of the INSD interfaced to said network of multiple nodes,
    and the Internet /LAN port aspects insofar as port identification as relates to the Internet
    deals with port to port service designation, clearly encompasses the claimed limitations as
    broadly interpreted by the examiner.];

collecting flow data from packet headers [col. 3, lines 17-col. 12, line 35, whereas the "...
dynamically detect patterns of behavior ...", "... automatically determining the configuration of
the LAN ...", etc., clearly encompasses the claimed limitations, insofar as for the determining
/detection /comparison /control of the firewall to occur, the packet flow clearly must be collected
per se, and such collection involves collection of the packets' header data (i.e., the IP address,
port, status flags, etc.), as broadly interpreted by the examiner.];

analyzing collected flow data to assign a concern index value to the flow [col. 3, lines 17-
col. 12, line 35, whereas the "... assign weight to breach ...", and "... so as a weighted average
might be used ..." aspects of the post "... look for known patterns ...", clearly encompasses the
claimed limitations, insofar as an average is a "predetermined fixed value", as broadly
interpreted by the examiner.];

maintaining a host structure containing an accumulated concern index from flows
associated with the host; and

issuing an alarm once the accumulated concern index has exceeded an alarm threshold
value [col. 3, lines 17-col. 12, line 35, whereas the "... assign weight to breach ...", and "... react
operation ..." aspects of the post "... look for known patterns ...", that involve the control and
notification of the network associated firewall /gateway node, clearly encompasses the claimed
limitations as broadly interpreted by the examiner.]."

11. Claim 9 additionally recites the limitation that; "The method of claim 8,
wherein each concern index value associated with a respective potential intrusion activity
is a predetermined fixed value."

The teachings of Shipley suggest such limitations (col. 3, lines 17-col. 12, line 35, whereas the
"... assign weight to breach ...", and "... so as a weighted average might be used ..." aspects of
the post "... look for known patterns ...", clearly encompasses the claimed limitations, insofar as
an average is a "predetermined fixed value", as broadly interpreted by the examiner.).

12. As per claim 10, this claim is the apparatus/system for the method claim 6 above, and is
rejected for the same reasons provided for the claim 6 rejection; "A system for analyzing
network communication traffic, comprising:

a computer system operable to
    classify packets into flows,
    collect flow data from packet header information,
    analyze collected flow data to assign a concern index value
        wherein each concern index value associated with a respective potential
        intrusion activity is a predetermined fixed value, and
    generate an alarm signal; and
a communication system coupled to the computer system operable to
    send packets from one host to another host."

13. As per claim 11, this claim is the apparatus/system for the node processor element with
associated database element for the method claim 6 above, and is rejected for the same reasons
provided for the claim 6 rejection; "A system for analyzing network communication traffic,
comprising:

a processor operable to
    classify packets into flows,
    collect flow data from packet header information,
    analyze collected flow data to assign a concern index value
        wherein each concern index value associated with a respective potential
        intrusion activity is a predetermined fixed value, and
    generate an alarm signal;
memory coupled to the processor operable to store the flow data;
a database coupled to the processor operable to
    store log files; and
a network interface coupled to the processor operable to
    monitor network traffic."



14. As per claim 12, this claim is a specific attack method for claim 1 above, and is rejected
for the same reasons provided for the claim 1 rejection; "A method of analyzing network
communication traffic for potential intrusion activity, comprising the steps of:

analyzing packet header information;

determining a transport level protocol specifying a format of a data area [col. 3, lines 17-
col. 12, line 35, generally, and col. 6, lines 31-67 more specifically, whereas the "... access ports
that do not exist ...", and "... the multitude of responces (such as synchronization requests)
forthcoming through the internet ..." aspects of "... determining a transport level protocol ...",
that involves the DOS type attack (i.e., SYN flooding use of minimal byte data field, at the
transport layer), clearly encompasses the claimed limitations as broadly interpreted by the
examiner.];

issuing an alarm when
    the transport level protocol is identified as User Datagram Protocol and
    the data segment associated with User Datagram Protocol packet contains two or
    less bytes of data [col. 3, lines 17-col. 12, line 35, whereas the "... assign
    weight to breach ...", and "... react operation ..." aspects of the post "... issuing
    an alarm ... transport level protocol ... User Datagram Protocol packet contains
    ...", that involve the control and notification of the network associated firewall
    /gateway node, clearly encompasses the claimed limitations as broadly interpreted
    by the examiner.]."
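The method recited in claims 1 and 12 (assign packets to flows, collect header data, assign a fixed concern index per flow, accumulate it per host, alarm on a threshold, with the tiny-UDP-payload condition of claim 12 as one scored pattern) is shown below as an added illustration; it is not code from the application, from Shipley, or from the Office. The flow key (lower-numbered port taken as the service port), the concern-index values, the threshold and the packet records are all constructed assumptions.

```python
# Added example: a minimal model of the claimed flow-based concern-index method.
# Flow keys, concern-index values, the alarm threshold and the packet records
# below are constructed assumptions, not values from the application or Shipley.
from collections import defaultdict

# Constructed packet headers: (src_ip, src_port, dst_ip, dst_port, proto, flags, data_len)
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 53, "UDP", "",    1),   # UDP payload <= 2 bytes (claim 12)
    ("10.0.0.5", 40002, "10.0.0.9", 53, "UDP", "",    2),   # UDP payload <= 2 bytes (claim 12)
    ("10.0.0.5", 40003, "10.0.0.9", 53, "UDP", "",    37),  # normal-sized UDP query, not scored
    ("10.0.0.5", 40004, "10.0.0.9", 22, "TCP", "SYN", 0),
    ("10.0.0.9", 22, "10.0.0.5", 40004, "TCP", "RST", 0),   # RST reply in the same flow
    ("10.0.0.7", 51000, "10.0.0.9", 80, "TCP", "SYN", 0),   # benign host, nothing scored
]

# Predetermined fixed concern-index values per pattern (claim 5 / claim 9 style).
CONCERN = {"udp_tiny_payload": 4, "tcp_rst_reply": 3}
ALARM_THRESHOLD = 6

def flow_key(pkt):
    """Claim 8 style key: the two IP addresses plus the port that stays constant
    (assumed here to be the lower-numbered port, i.e. the service port)."""
    src, sp, dst, dp, proto, _, _ = pkt
    return (frozenset((src, dst)), proto, min(sp, dp))

def score_flow(pkts):
    """Assign a concern index to one flow from its collected header data."""
    ci = 0
    for _, _, _, _, proto, flags, data_len in pkts:
        if proto == "UDP" and data_len <= 2:        # claim 12 alarm condition, scored here
            ci += CONCERN["udp_tiny_payload"]
        if proto == "TCP" and flags == "RST":       # reply suggesting a closed port was probed
            ci += CONCERN["tcp_rst_reply"]
    return ci

def analyze(packets, threshold=ALARM_THRESHOLD):
    """Return (accumulated concern index per host, set of hosts that raised an alarm)."""
    flows = defaultdict(list)
    for pkt in packets:                             # assign packets to flows
        flows[flow_key(pkt)].append(pkt)
    host_ci = defaultdict(int)                      # the per-host structure of claim 8
    for pkts in flows.values():
        host_ci[pkts[0][0]] += score_flow(pkts)     # accumulate on the flow's initiating host
    alarms = {h for h, ci in host_ci.items() if ci > threshold}
    return dict(host_ci), alarms

if __name__ == "__main__":
    print(analyze(PACKETS))
```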
Conclusion

15. Any inquiry concerning this communication or earlier communications from the examiner
should be directed to Ronald Baum, whose telephone number is (571) 272-3861, and whose
unofficial Fax number is (571) 273-3861. The examiner can normally be reached Monday
through Thursday from 8:00 AM to 5:30 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Ayaz Sheikh, can be reached at (571) 272-3795. The Fax number for the organization
where this application is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for
unpublished applications is available through Private PAIR only. For more information about the
PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).




